Updated password over wired not updating to wireless

Problem, Solved (updated 3 years ago)
We have an implemented password policy in our network setup. Users are alerted when their domain passwords are nearing expiration. Users are able to successfully change their password on their desktops by pressing Ctrl+Alt+Del. The problem is if they try to log in to their laptop using either the new or old password, they are denied. The only way for them to get the password update/change is on a wired connection. I would like behavior to be the same on a wired connection.

This is an Extreme end-to-end solution. We have IdentiFi controllers and Extreme NACs.
Thomas Maddox, posted 3 years ago
Ronald Dvorak, Embassador
Hi Thomas,

so I assume in the LAN there is no 802.1X authentication on the LAN port, and that is the reason the users could change the password - correct?

If not, please explain in more detail how the LAN setup is different from the WLAN.

You also wrote "Users are alerted when their domain passwords are nearing expiration."
Are wireless clients able to change the password if it's still valid? That isn't clear from your posting.

-Ron
Thomas Maddox

Yes, you are correct. No 802.1X auth on the LAN. We only have enough licensing on the NACs to cover the wireless side. We have MAC auth on the LAN. Password changes are successful through the WLAN if the change is initiated through it first.
Ronald Dvorak, Embassador
Thomas Maddox

Yes, I checked it out before posting this question. That post is directed at passwords that have expired. My issue is updating existing valid passwords.
Daniel Flouret, Employee
Thomas,

That post DOES apply to your case.

The problem with expired passwords is that they are no longer valid, and that is exactly your case when the user password has been changed somewhere else. The notebook caches Windows logon information (user/password) and uses that information to log the notebook on to 802.1X. But the stored password is the old one and will be rejected by the DC because it is no longer valid.

Check this article about SingleSignOn: https://technet.microsoft.com/en-us/magazine/2007.11.cableguy.aspx

If you have Single Sign On enabled (probably), Windows will log the notebook on to the 802.1X-protected SSID before asking for Windows user credentials.

Which credentials it uses depends on whether EAP-MSCHAP v2 is configured to use stored Windows logon credentials or not.

If it is configured to use stored Windows logon credentials... guess what? It will use the OLD credentials, because those were the ones used the last time there was a successful login. If you uncheck "Automatically use my Windows logon name...", 802.1X should ask for username/password each time it connects to wireless.

The alternative is to connect the notebook through a wired connection and login with the new password, which will refresh the stored credentials. Or create the "remediation" SSID with no security indicated in
https://community.extremenetworks.com/extreme/topics/reset-expired-password-over-wireless
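An added example (not from this thread or from Extreme Networks) for an administrator who wants to check which of the two settings discussed above a laptop's WLAN profile actually carries: it exports the profile with netsh and reads the OneX single-sign-on type and the MSCHAPv2 "use Windows logon credentials" element from the profile XML. The profile name 'CorpWiFi' and the output folder are assumptions.

```powershell
# Audit a Windows WLAN profile for pre-logon SSO and cached-logon-credential use.
# Added example; 'CorpWiFi' is a placeholder profile name, not the poster's SSID.
param(
    [string]$ProfileName = 'CorpWiFi',
    [string]$Folder      = "$env:TEMP\wlan-audit"
)

New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# netsh writes <Folder>\<Interface>-<ProfileName>.xml; EAP profiles carry no PSK,
# so no key=clear is needed.
netsh wlan export profile name="$ProfileName" folder="$Folder" | Out-Null

$file = Get-ChildItem -Path $Folder -Filter "*$ProfileName*.xml" | Select-Object -First 1
if (-not $file) { throw "No exported profile found for '$ProfileName'" }

[xml]$xml = Get-Content -Path $file.FullName
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('onex',   'http://www.microsoft.com/networking/OneX/v1')
$ns.AddNamespace('mschap', 'http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1')

# <singleSignOn><type>preLogon|postLogon</type> is what makes Windows authenticate
# to the SSID before the user logs on.
$ssoNode  = $xml.SelectSingleNode('//onex:singleSignOn/onex:type', $ns)
# <UseWinLogonCredentials> is the XML form of "Automatically use my Windows logon
# name and password" in the EAP-MSCHAPv2 settings.
$credNode = $xml.SelectSingleNode('//mschap:UseWinLogonCredentials', $ns)

$sso  = if ($ssoNode)  { $ssoNode.InnerText }  else { 'not configured' }
$cred = if ($credNode) { $credNode.InnerText } else { 'element absent' }

[pscustomobject]@{
    Profile                = $ProfileName
    SingleSignOn           = $sso
    UseWinLogonCredentials = $cred
    ExportedFile           = $file.FullName
}
```

A profile that reports SingleSignOn = preLogon together with UseWinLogonCredentials = true is the combination described in the answer above, where the cached (old) password is replayed to 802.1X before the user can type the new one.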